Charter for Working Group

One form of attack on computing systems connected to the Internet is eavesdropping on network connections to obtain login id's and passwords of legitimate users [RFC 1704]. Bellcore's S/KEY(TM) one-time password system was designed to counter this type of attack, called a replay attack [RFC 1760]. Several one-time password implementations compatible with Bellcore's S/KEY(TM) system exist. These implementations are increasingly widely deployed in the Internet to protect against passive attacks.

The object of this working group is to write a standards track RFC for one-time password technology, using the technology in the Bellcore S/KEY system and related interoperable packages (e.g., logdaemon, NRL OPIE) as the basis for the group's effort. The standards-track RFC will enhance multi-vendor interoperability in one-time password authentication technologies and thereby help reduce security risks in the Internet.

General authentication servers are outside the scope of this working group. The "S/Key-0" system being considered for use in Kerberos is outside the scope of this working group.

The standards-track specification will describe how this one-time password technology can be used with at least the MD4, MD5, and SHA algorithms. The standard one-time password dictionary from RFC 1760 will be reused in order to maintain backwards compatibility with the various deployed systems; however, support for hexadecimal format passwords will also be mandatory to implement. The standard might specify passphrase quality checks for the secret passphrase. The standard will be specified so as to eliminate any possible conflict with the Bellcore trademark on the term "S/Key."

An Informational RFC might also be issued that describes conventions for the UNIX commands relating to one-time passwords, including command(s) to securely update a remote one-time password.

Milestones

Date  Milestone

Done  Submit Internet-Draft on OTP optional Extensions to IESG for consideration of publication as an RFC.

Done  Submit Internet-Draft on optional extensions to OTP.

Done  Submit One-Time Password document to IESG for consideration as a Proposed Standard.